TTPwire Vol. 1 · MITRE ATT&CK Tagged


F5 Labs

From DDoS to Server Ransomware: Apache Struts 2 – CVE-2017-5638 Campaign

2017-03-27

ATT&CK techniques detected

9 predictions (technique, score, supporting excerpt from the article)

- T1486 Data Encrypted for Impact (99%): "13: Apache Struts exploit delivering Windows ransomware. Once running, the malware encrypts the files and shows an image with a ransom message, as shown in Figure 14. Figure 14: Ransom message once infected. As per the usual ransomware met…"

- T1190 Exploit Public-Facing Application (95%): "From DDoS to Server Ransomware: Apache Struts 2 – CVE-2017-5638 Campaign. A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices i…"

- T1190 Exploit Public-Facing Application (95%): "Threat actors using older web vulnerabilities in their campaigns can adapt to switch to newly released zero-days to deliver the same payloads. This gives them a new vulnerability window to exploit while the defenders install patches. The new vulnerability in Apache Struts provi…"

- T1071 Application Layer Protocol (79%): "also leverages the less common “fetch” program as well as a special mode of “wget”. By using the “wget -qO-” options, the malware file is downloaded but is not actually written to a file on the disk. Instead, the content is redirected to the Perl interpreter for execu…"

- T1486 Data Encrypted for Impact (78%): "Figure 11: Shellshock exploit delivers “a” spearhead bash script. Figure 12: Crypto currency miner configuration. Expanding to server ransomware delivering Linux …"

- T1190 Exploit Public-Facing Application (76%): "slight modification of the original public exploit[2]. Figure 1: CVE-2017-5638 campaign. The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the ser…"

- T1679 Selective Exclusion (62%): "13: Apache Struts exploit delivering Windows ransomware. Once running, the malware encrypts the files and shows an image with a ransom message, as shown in Figure 14. Figure 14: Ransom message once infected. As per the usual ransomware met…"

- T1588.006 Vulnerabilities (59%): "get the list of installed security products. Then it traverses through files and folders resulting from the query, and adds them to a firewall rule if they are executables. Figure 18: Adding firewall rules to block security products communication …"

- T1584.005 Botnet (32%): "also leverages the less common “fetch” program as well as a special mode of “wget”. By using the “wget -qO-” options, the malware file is downloaded but is not actually written to a file on the disk. Instead, the content is redirected to the Perl interpreter for execu…"

Summary

A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices is the ability to leverage powerful hardware that is...